Fix tls mode ca and external

Signed-off-by: Tamal Saha <[email protected]>

apis/installer/v1alpha1/ace_options_types.go

@@ -191,7 +191,7 @@ type AceOptionsNatsSettings struct {
 type AceOptionsPlatformInfra struct {
 	StorageClass  LocalObjectReference         `json:"storageClass"`
 	KubeStash     KubeStashOptions             `json:"kubestash"`
-	TLS           AceOptionsInfraTLS           `json:"tls"`
+	TLS           InfraTLS                     `json:"tls"`
 	DNS           InfraDns                     `json:"dns"`
 	CloudServices AceOptionsInfraCloudServices `json:"cloudServices"`
 }
@@ -217,12 +217,6 @@ type KubeStashBackendInfra struct {
 	GCS store.GCSSpec `json:"gcs"`
 }
 
-type AceOptionsInfraTLS struct {
-	Issuer      TLSIssuerType `json:"issuer"`
-	Acme        TLSIssuerAcme `json:"acme"`
-	Certificate TLSData       `json:"certificate"`
-}
-
 type AceOptionsInfraCloudServices struct {
 	Provider ObjstoreProvider        `json:"provider"`
 	Objstore AceOptionsInfraObjstore `json:"objstore"`

apis/installer/v1alpha1/helpers.go

@@ -0,0 +1,23 @@
+/*
+Copyright AppsCode Inc. and Contributors
+
+Licensed under the AppsCode Community License 1.0.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+func (i InfraTLS) MountCACerts() bool {
+	return i.Issuer == TLSIssuerTypeCA ||
+		i.Issuer == TLSIssuerTypeLEStaging ||
+		(i.Issuer == TLSIssuerTypeExternal && i.CA.Cert != "")
+}

charts/ace/templates/_helpers.tpl

@@ -139,10 +139,6 @@ Returns the ServiceMonitor labels
 {{- printf "%s-nats-cred" (include "ace.fullname" .) -}}
 {{- end }}
 
-{{- define "settings.caProviderClass" -}}
-{{- if (has .Values.global.infra.tls.issuer (list "ca" "letsencrypt-staging")) }}{{ include "ace.fullname" . }}{{end -}}
-{{- end }}
-
 {{/*
 Determine database host name
 */}}

charts/ace/templates/ingress/ca.yaml

@@ -1,4 +1,10 @@
 {{- if and (eq .Values.global.infra.tls.issuer "ca") .Values.global.infra.tls.ca.cert .Values.global.infra.tls.ca.key }}
+
+{{- $data := dict
+    "tls.crt" .Values.global.infra.tls.ca.cert
+    "tls.key" .Values.global.infra.tls.ca.key
+}}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,5 +13,5 @@ metadata:
   labels:
     {{- include "ace.labels" . | nindent 4 }}
 type: kubernetes.io/tls
-stringData: {{ dict "tls.crt" .Values.global.infra.tls.ca.cert "tls.key" .Values.global.infra.tls.ca.key | toJson }}
+stringData: {{ $data | toJson }}
 {{- end }}

charts/ace/templates/ingress/caprovicerclass.yaml

@@ -13,4 +13,21 @@ spec:
     kind: Issuer
     namespace: {{ .Release.Namespace }}
     name: {{ include "ace.fullname" . }}
+
+{{- else if and (eq .Values.global.infra.tls.issuer "external") .Values.global.infra.tls.ca.cert }}
+
+apiVersion: cacerts.csi.cert-manager.io/v1alpha1
+kind: CAProviderClass
+metadata:
+  name: {{ include "ace.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "ace.labels" . | nindent 4 }}
+spec:
+  refs:
+  - apiGroup: ""
+    kind: Secret
+    namespace: {{ .Release.Namespace }}
+    name: {{ include "ace.fullname" . }}-cert
+    key: "ca.crt"
 {{- end}}

charts/ace/templates/ingress/secret.yaml

@@ -1,4 +1,13 @@
 {{- if (eq .Values.global.infra.tls.issuer "external") }}
+
+{{ $data := dict
+    "tls.crt" .Values.global.infra.tls.certificate.cert
+    "tls.key" .Values.global.infra.tls.certificate.key
+}}
+{{- with .Values.global.infra.tls.ca.cert }}
+{{- $_ := set $data "ca.crt" . }}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,5 +16,5 @@ metadata:
   labels:
     {{- include "ace.labels" . | nindent 4 }}
 type: kubernetes.io/tls
-stringData: {{ dict "tls.crt" .Values.global.infra.tls.certificate.cert "tls.key" .Values.global.infra.tls.certificate.key | toJson }}
+stringData: {{ $data | toJson }}
 {{- end }}

charts/ace/templates/platform/setup-job.yaml

@@ -1,5 +1,10 @@
 {{- $infra := .Values.global.infra -}}
 
+{{- $mountCACerts := or
+  (has $infra.tls.issuer (list "ca" "letsencrypt-staging"))
+  (and (eq $infra.tls.issuer "external") $infra.tls.ca.cert )
+}}
+
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -120,7 +125,7 @@ spec:
             - name: objstore-cred
               mountPath: {{ $infra.objstore.mountPath }}
             {{- end }}
-            {{- if (include "settings.caProviderClass" .) }}
+            {{- if $mountCACerts }}
             - name: cacerts
               mountPath: /etc/ssl/certs
             {{- end }}
@@ -147,14 +152,14 @@ spec:
             defaultMode: 420
             secretName: {{ $secretName }}
         {{- end }}
-        {{- with $cpc := (include "settings.caProviderClass" .) }}
+        {{- if $mountCACerts }}
         - name: cacerts
           csi:
             driver: cacerts.csi.cert-manager.io
             readOnly: true
             volumeAttributes:
               os: debian
-              caProviderClasses: {{ $cpc }}
+              caProviderClasses: {{ include "ace.fullname" . }}
         {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

charts/service-presets/templates/egress-cert/ca.yaml

@@ -1,4 +1,10 @@
 {{- if (eq .Values.infra.tls.issuer "ca") }}
+
+{{- $data := dict
+    "tls.crt" .Values.infra.tls.ca.cert
+    "tls.key" .Values.infra.tls.ca.key
+}}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,5 +13,5 @@ metadata:
   labels:
     {{- include "service-presets.labels" . | nindent 4 }}
 type: kubernetes.io/tls
-stringData: {{ dict "tls.crt" .Values.infra.tls.ca.cert "tls.key" .Values.infra.tls.ca.key | toJson }}
+stringData: {{ $data | toJson }}
 {{- end }}

charts/service-presets/templates/egress-cert/caprovicerclass.yaml

@@ -13,4 +13,21 @@ spec:
     kind: Issuer
     namespace: {{ .Release.Namespace }}
     name: {{ include "service-presets.fullname" . }}
+
+{{- else if and (eq .Values.infra.tls.issuer "external") .Values.infra.tls.ca.cert }}
+
+apiVersion: cacerts.csi.cert-manager.io/v1alpha1
+kind: CAProviderClass
+metadata:
+  name: {{ include "service-presets.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "service-presets.labels" . | nindent 4 }}
+spec:
+  refs:
+  - apiGroup: ""
+    kind: Secret
+    namespace: {{ .Release.Namespace }}
+    name: {{ include "service-presets.fullname" . }}-cert
+    key: "ca.crt"
 {{- end}}

charts/service-presets/templates/egress-cert/issuer.yaml

@@ -9,8 +9,12 @@ metadata:
     {{- include "service-presets.labels" . | nindent 4 }}
 spec:
   {{- if eq .Values.infra.tls.issuer "ca" }}
+  {{- if and .Values.infra.tls.ca.cert .Values.infra.tls.ca.key }}
   ca:
     secretName: {{ include "service-presets.fullname" . }}-ca
+  {{- else }}
+  selfSigned: {}
+  {{- end }}
   {{- end }}
   {{- if has .Values.infra.tls.issuer (list "letsencrypt" "letsencrypt-staging") }}
   acme:

charts/service-presets/templates/egress-cert/secret.yaml

@@ -1,4 +1,13 @@
 {{- if (eq .Values.infra.tls.issuer "external") }}
+
+{{- $data := dict
+    "tls.crt" .Values.infra.tls.certificate.cert
+    "tls.key" .Values.infra.tls.certificate.key
+}}
+{{- with .Values.infra.tls.ca.cert }}
+{{- $_ := set $data "ca.crt" . }}
+{{- end }}
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -7,5 +16,5 @@ metadata:
   labels:
     {{- include "service-presets.labels" . | nindent 4 }}
 type: kubernetes.io/tls
-stringData: {{ dict "tls.crt" .Values.infra.tls.certificate.cert "tls.key" .Values.infra.tls.certificate.key | toJson }}
+stringData: {{ $data | toJson }}
 {{- end }}

schema/ace-options/values.openapiv3_schema.yaml

@@ -822,6 +822,13 @@ properties:
             required:
               - email
             type: object
+          ca:
+            properties:
+              cert:
+                type: string
+              key:
+                type: string
+            type: object
           certificate:
             properties:
               cert:
@@ -838,6 +845,7 @@ properties:
             type: string
         required:
           - acme
+          - ca
           - certificate
           - issuer
         type: object